
I was wondering what the syntax was in PHP to update a row in a PostgreSQL database. I have made a login page that checks a UserName and Password from a database, then it goes to a page where it displays all the user info from the database for that user name. I am trying to allow the user to change some of the columns, like password, name, etc. So I added another page that has fields for each of the columns I want to change.

This is the code I have for the query:

    if(array_key_exists('save',$_POST))
    {
        $firstname=$_POST['ifirstname'];
        $lastname=$_POST['ilastname'];
        $email=$_POST['iemail'];
        $password=$_POST['ipassword'];

        $conn_string='host=#### port=#### dbname=###### user=####### password=######';
        $dbconn=pg_connect($conn_string) or die('Connection failed');

        $query="UPDATE project.customer SET FirstName='$firstname',
                LastName='$lastname',Email='$email',Password='$password')
                WHERE UserName=$1";

        $result=pg_query($dbconn,$query);
        $row_count= pg_num_rows($result);
        pg_free_result($result);
        pg_close($dbconn);
    }

This is for the fields:

    <div id="header">UPDATE USER INFO</div>
    <form id="testform" name="testform" method="post" action="" >
        <p> <label for="ifirstname">First Name:</label> 
          <input name="ifirstname" type="text" id="ifirstname"/>
      </p>
        <p> <label for="ilastname">Last Name:</label>
          <input name="ilastname" type="text" id="ilastname"/>
      </p>
        <p> <label for="iemail">E-Mail:</label>
            <input name="iemail" type="text" id="iemail"/>
        </p>
        <p> 
            <label for="ipassword">Password:</label>
          <input name="ipassword" type="password" id="ipassword"/>
      </p>
        <p> 
            <label for="iconfpass">Confirm Password:</label>
          <input name="iconfpass" type="password" id="iconfpass"/>
      </p>
        <p> 
            <input type="submit" name="save" value="Register"/>
        </p>
    </form>
  • $1 is what kind of variable? Commented Apr 1, 2012 at 18:06
  • You need to make sure you escape your strings. I can't stress enough how important that is to prevent SQL-injection attacks. You can use either something like PHP's addslashes() or PDO parameterized queries. Commented Apr 1, 2012 at 18:22
  • Why don't you use pg_query_params() to avoid SQL injection? addslashes() isn't 100% safe and PDO is only useful when you support multiple database brands. Commented Apr 1, 2012 at 18:52

2 Answers


I think it must be like this. Also make the user write the old password when changing data, for security reasons. Also don't forget to filter your data before using it in the query, to avoid SQL injection attacks.

$query="UPDATE project.customer 
        SET (FirstName,LastName,Email,Password) = 
        ('$firstname','$lastname','$email','$password')
        WHERE UserName= '$1' and Password = '$oldpassword'";



Why not just use standard SQL syntax?

Update project.customer Set
    "FirstName" = '$firstname',
    ...
Where ...

The main difference in Postgres is that you usually quote the column names.
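Putting the comments and both answers together, here is an added example (not code from the question or from either answer) of the same update done with pg_query_params(), so that the form values are sent as parameters instead of being interpolated into the SQL string, with the old-password check the first answer recommends and the quoted column names the second answer mentions. It assumes the login page stored the logged-in user name in $_SESSION['username'] (the question does not show the login page, so that key is an assumption), an extra form field named ioldpassword, and that the stored Password column holds a password_hash() hash rather than plaintext. The connection string values are placeholders.

```php
<?php
// Added example, not the question's or an answer's code. Assumes the
// project.customer table from the question (UserName, FirstName, LastName,
// Email, Password), that the login page put the user name in
// $_SESSION['username'] (assumption), and an extra form field 'ioldpassword'.
session_start();

if (array_key_exists('save', $_POST)) {
    if (!isset($_SESSION['username'])) {
        exit('Not logged in');
    }

    // '??' needs PHP 7+; on older PHP use isset() checks instead.
    $firstname   = $_POST['ifirstname'] ?? '';
    $lastname    = $_POST['ilastname'] ?? '';
    $email       = $_POST['iemail'] ?? '';
    $oldpassword = $_POST['ioldpassword'] ?? '';   // extra field, not in the question's form
    $password    = $_POST['ipassword'] ?? '';
    $confpass    = $_POST['iconfpass'] ?? '';      // the question's form has this but never checks it

    if ($password !== $confpass) {
        exit('New password and confirmation do not match');
    }

    // Placeholder connection values.
    $dbconn = pg_connect('host=DB_HOST port=5432 dbname=DB_NAME user=DB_USER password=DB_PASS')
        or die('Connection failed');

    // 1. Look up the stored hash for the logged-in user. $1 is a query
    //    placeholder that pg_query_params() fills in; PHP never interpolates it.
    $result = pg_query_params(
        $dbconn,
        'SELECT "Password" FROM project.customer WHERE "UserName" = $1',
        [$_SESSION['username']]
    );
    $row = $result ? pg_fetch_assoc($result) : false;
    if ($row === false || !password_verify($oldpassword, $row['Password'])) {
        pg_close($dbconn);
        exit('Current password is incorrect');
    }

    // 2. Store a hash of the new password, not the plaintext
    //    (password_hash()/password_verify() exist since PHP 5.5).
    $newhash = password_hash($password, PASSWORD_DEFAULT);

    // 3. Parameterized UPDATE: the values travel separately from the SQL text,
    //    so a quote in a name or e-mail cannot alter the statement.
    $result = pg_query_params(
        $dbconn,
        'UPDATE project.customer
            SET "FirstName" = $1, "LastName" = $2, "Email" = $3, "Password" = $4
          WHERE "UserName" = $5',
        [$firstname, $lastname, $email, $newhash, $_SESSION['username']]
    );

    if ($result === false) {
        echo 'Update failed: ' . htmlspecialchars(pg_last_error($dbconn));
    } elseif (pg_affected_rows($result) === 1) {   // pg_num_rows() counts SELECT rows, not updated rows
        echo 'Profile updated';
    } else {
        echo 'No matching user row was updated';
    }

    pg_close($dbconn);
}
```

Two details worth checking against your own schema: PostgreSQL folds unquoted identifiers to lower case, so the double-quoted "FirstName" form only matches columns that were created with quotes in mixed case; if the table was created as plain firstname, lastname, etc., drop the quotes. And the WHERE clause uses the user name from the server-side session rather than from the form, so a user can only update their own row.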
